>putting Serializable objects in the session is surely a good idea
>in general.

I agree, especially, as you mention, if we intend to distribute sessions among 
various containers.

>Tomcat's session-fixation-prevention amounts to changing the session
>identifier while keeping the session intact. So unless you are using
>distributable sessions, this is unlikely to be the problem.

You're absolutely right. I now have a serialized attribute, which is still lost 
upon the creation of the new session. Is there anything similar I can try, to 
ensure that the session attributes from the previous session are faithfully 
copied to the new session, after session-fixation-prevention does its thing?

--Hardy

________________________________________
From: Christopher Schultz [ch...@christopherschultz.net]
Sent: Thursday, September 10, 2015 2:25 PM
To: Tomcat Users List
Subject: Re: seeking help with stabilizing the persistence of a JSESSIONID

Hardy,

On 9/10/15 1:00 PM, Pottinger, Hardy J. wrote:
> The session attribute we are creating to hold the flag to indicate
> the session is "interrupted"... is not serializable... which I
> think means that, when the new session is created as part of
> session fixation protection, the "interrupted" flag won't transfer
> to the new session.

Tomcat's session-fixation-prevention amounts to changing the session
identifier while keeping the session intact. So unless you are using
distributable sessions, this is unlikely to be the problem.

> So... I *think* what I might need to do is set a marker for our
> request class that it implements Serializable.
> http://stackoverflow.com/questions/7444463/how-do-i-make-the-session-data-serializable

Only putting Serializable objects in the session is surely a good idea
in general.

> I'll let you know if this works out.

I'm interested to hear about your experience.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
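
Added example, not part of the thread and not Tomcat's own code: a diagnostic listener that tells apart the two cases discussed above, a session whose identifier was changed in place (attributes kept) and a session that was destroyed and replaced by a new, empty one (attributes lost). It assumes a Servlet 3.1+ container (Tomcat 8 or later) using the javax.servlet namespace; the class name SessionTraceListener is hypothetical.

```java
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionIdListener;
import javax.servlet.http.HttpSessionListener;
import java.util.Collections;
import java.util.List;
import java.util.logging.Logger;

/**
 * Added diagnostic (hypothetical class, not from the thread): logs whether a
 * session was re-keyed (attributes kept) or destroyed and recreated (lost).
 */
@WebListener
public class SessionTraceListener implements HttpSessionIdListener, HttpSessionListener {

    private static final Logger LOG = Logger.getLogger(SessionTraceListener.class.getName());

    // Log only the tail of an ID so full session identifiers never reach the logs.
    private static String tail(String id) {
        return id == null || id.length() < 6 ? "?" : "..." + id.substring(id.length() - 6);
    }

    // Attribute names only; values may be sensitive and are not logged.
    private static List<String> names(HttpSession s) {
        return Collections.list(s.getAttributeNames());
    }

    /** Fired when the ID changes but the session object (and its attributes) survives. */
    @Override
    public void sessionIdChanged(HttpSessionEvent e, String oldId) {
        HttpSession s = e.getSession();
        LOG.info("re-keyed " + tail(oldId) + " -> " + tail(s.getId())
                + ", attributes kept: " + names(s));
    }

    /** Fired for a brand-new session, which starts with no attributes. */
    @Override
    public void sessionCreated(HttpSessionEvent e) {
        LOG.info("created " + tail(e.getSession().getId()) + " (new, empty session)");
    }

    /** Fired just before invalidation; anything listed here is about to be discarded. */
    @Override
    public void sessionDestroyed(HttpSessionEvent e) {
        HttpSession s = e.getSession();
        LOG.info("destroyed " + tail(s.getId()) + ", attributes discarded: " + names(s));
    }
}
```

A "destroyed" line followed by a "created" line around login means something other than the identifier change is replacing the session; a lone "re-keyed" line means the attributes were carried over.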